FBI Warns Of Syrian Electronic Army Hacking Threat

Recent string of high-profile website and Twitter takedowns leads some security professionals to question whether hackers are getting help from Iran.

(click image for larger view)

The Syrian Electronic Army: 9 Things We Know

The FBI Cyber Division has issued an alert to media outlets to beware compromise by the Syrian Electronic Army (SEA), and urged them to report any suspicious network traffic or behavior to the bureau.

The advisory recaps how the "pro-regime hacker group that emerged during Syrian anti-government protests in 2011 [...] has been compromising high-profile media outlets in an effort to spread pro-regime propaganda."

"The SEA's primary capabilities include spear-phishing, Web defacements, and hijacking social media accounts to spread propaganda," read the advisory. "Over the past several months, the SEA has been highly effective in compromising multiple high-profile media outlets."

The alert was issued following the SEA's large disruption of The New York Times website and smaller outages at Twitter and The Huffington Post U.K. That built on a string of previous defacements, including the Twitter accounts for Associated Press, BBC and Reuters, as well as Gmail accounts used by the White House media team.

Many of those takedowns were accomplished using cheap-and-easy spear-phishing attacks, often designed to separate victims from their Google login information, which the hackers then use to seize control of Twitter feeds and send further phishing emails.

In the wake of the FBI's recent advisory, the SEA doesn't appear to be running scared. In fact, the group Friday tweeted a link to the advisory from one of its Twitter accounts.

Bravado aside, the SEA's increasingly big -- and sophisticated -- takedowns have lead some security experts to ask if the group isn't getting outside help. ''I don't think it would be unreasonable to suspect someone more skilled is helping them out,'' Adam Myers, vice president of intelligence for security firm CrowdStrike, told The Sydney Morning Herald in Australia. Notably, the group appears to have graduated from mere Twitter account takeovers to stealing details on users of video and voice app Tango, as well as the Times and Twitter takedowns, which involved exploiting a never-before-seen DNS registry.

"They've been improving [their methods] over the past couple months. I would not rule out some outside influence giving them pointers,'' said CrowdStrike's Myers. ''I think the likely candidate would be Iran.''

Other information security professionals have also noticed the SEA's increasing skills. "They exposed some world-class exposures in some world-class environments," Carl Herberger, VP of security solutions for Radware, said in a recent phone interview. "To take down The New York Times website? Pretty impressive. To expose some security problems in Twitter, even if the rest of the world didn't know they were there? Very impressive."

Has that lead to a more concerted effort by the FBI to identify and arrest the SEA's members? No doubt the bureau is working overtime to do so. But some recent press reports have sensationalized those efforts, given that the FBI has remained mum on any related investigations. For example, International Business Times reported Thursday that the FBI's advisory said that "anyone found to be aiding the SEA will be seen as terrorists actively aiding attacks against the U.S. websites." In fact, the FBI's advisory made no such claims.

If the bureau has identified the hackers involved in the SEA, however, the suspects should watch where they travel. Earlier this week, for example, Russia issued a travel advisory warning Russians accused of cybercrimes to beware international travel, reportedWired. The notice, issued by Russia's Foreign Ministry, warned citizens to "refrain from traveling abroad, especially to countries that have signed agreements with the U.S. on mutual extradition, if there is reasonable suspicion that U.S. law enforcement agencies" are investigating their activities. That notice was issued in the wake of the June arrest -- based on an Interpol Red Notice -- in the Dominican Republic of Russian Aleksander Panin, an alleged hacker charged in a $5 million online banking heist. Also this year, Russian national Maxim Chuhareva was arrested in Costa Rica as part of the Secret Service's Liberty Reserve crackdown.

Could some elements of the SEA now be operating from Russia? Interestingly, the SEA's servers were relocated to Russia after Network Solutions seized the group's domain names, apparently acting on a Department of Justice request. In retaliation for that embarrassing turn, the self-described teenage leader of the group, known as "Th3 Pr0" (pronounced "the pro") hacked AP's Twitter feed, issuing a bogus alert that President Obama had been injured in a bomb blast. The tweet temporarily erased $200 billion in value from the U.S. stock market.

The SEA's - Train your enemies, give them Guns, Ammo, and educate them in high technology, in the United States, and other free countries, and this is what we have.The playing field for war, electronic and otherwise is being leveled. What countries choose to do with knowledge cannot be controlled once we educate them. The Goal is for the free world, is to be farther ahead of the threat, which is becoming much more difficult.

I think Adam Myers needs to have a little outside influence to learn how this works. At the end of the day these are phishing attacks. Mobile apps? If people knew how insecure these things are or what information they send to companies they wouldn't use them.

Published: 2015-03-03Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Published: 2015-03-03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.